﻿<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head profile="http://dublincore.org/documents/2008/08/04/dc-html/">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta name="robots" content="index,follow">
    <meta name="creator" content="rfcmarkup version 1.108">
    <link rel="schema.DC" href="http://purl.org/dc/elements/1.1/">
<meta name="DC.Relation.Replaces" content="draft-narayan-isms-sshsm-radius">
<meta name="DC.Identifier" content="urn:ietf:rfc:5608">
<meta name="DC.Date.Issued" content="August, 2009">
<meta name="DC.Creator" content="Narayan, Kaushik">
<meta name="DC.Creator" content="Nelson, David">
<meta name="DC.Description.Abstract" content="This memo describes the use of a Remote Authentication Dial-In User\nService (RADIUS) authentication and authorization service with Simple\nNetwork Management Protocol (SNMP) secure Transport Models to\nauthenticate users and authorize creation of secure transport\nsessions. While the recommendations of this memo are generally\napplicable to a broad class of SNMP Transport Models, the examples\nfocus on the Secure Shell (SSH) Transport Model. [STANDARDS-TRACK]">
<meta name="DC.Title" content="Remote Authentication Dial-In User Service (RADIUS) Usage for Simple Network Management Protocol (SNMP) Transport Models">

    <link rel="icon" href="" type="image/png">
    <link rel="shortcut icon" href="" type="image/png">
    <title>RFC 5608 - Remote Authentication Dial-In User Service (RADIUS) Usage for Simple Network Management Protocol (SNMP) Transport Models</title>
    
    
    <style type="text/css">
	body {
	    margin: 0px 8px;
            font-size: 1em;
	}
        h1, h2, h3, h4, h5, h6, .h1, .h2, .h3, .h4, .h5, .h6 {
	    font-weight: bold;
            line-height: 0pt;
            display: inline;
            white-space: pre;
            font-family: monospace;
            font-size: 1em;
	    font-weight: bold;
        }
        pre {
            font-size: 1em;
            margin-top: 0px;
            margin-bottom: 0px;
        }
	.pre {
	    white-space: pre;
	    font-family: monospace;
	}
	.header{
	    font-weight: bold;
	}
        .newpage {
            page-break-before: always;
        }
        .invisible {
            text-decoration: none;
            color: white;
        }
        a.selflink {
          color: black;
          text-decoration: none;
        }
        @media print {
            body {
                font-family: monospace;
                font-size: 10.5pt;
            }
            h1, h2, h3, h4, h5, h6 {
                font-size: 1em;
            }
        
            a:link, a:visited {
                color: inherit;
                text-decoration: none;
            }
            .noprint {
                display: none;
            }
        }
	@media screen {
	    .grey, .grey a:link, .grey a:visited {
		color: #777;
	    }
            .docinfo {
                background-color: #EEE;
            }
            .top {
                border-top: 7px solid #EEE;
            }
            .bgwhite  { background-color: white; }
            .bgred    { background-color: #F44; }
            .bggrey   { background-color: #666; }
            .bgbrown  { background-color: #840; }            
            .bgorange { background-color: #FA0; }
            .bgyellow { background-color: #EE0; }
            .bgmagenta{ background-color: #F4F; }
            .bgblue   { background-color: #66F; }
            .bgcyan   { background-color: #4DD; }
            .bggreen  { background-color: #4F4; }

            .legend   { font-size: 90%; }
            .cplate   { font-size: 70%; border: solid grey 1px; }
	}
    </style>
    <!--[if IE]>
    <style>
    body {
       font-size: 13px;
       margin: 10px 10px;
    }
    </style>
    <![endif]-->

    
</head>
<body>
   <div style="height: 13px;">
      <div onmouseover="this.style.cursor='pointer';" onclick="showElem('legend');" onmouseout="hideElem('legend')" style="height: 6px; position: absolute;" class="pre noprint docinfo bgblue" title="Click for colour legend.">                                                                        </div>
      <div id="legend" class="docinfo noprint pre legend" style="position:absolute; top: 4px; left: 4ex; visibility:hidden; background-color: white; padding: 4px 9px 5px 7px; border: solid #345 1px; " onmouseover="showElem('legend');" onmouseout="hideElem('legend');">
      </div>
   </div>
<span class="pre noprint docinfo top">[<a href="https://tools.ietf.org/html" title="Document search and retrieval page">Docs</a>] [<a href="https://tools.ietf.org/rfc/rfc5608.txt" title="Plaintext version of this document">txt</a>|<a href="https://tools.ietf.org/pdf/rfc5608" title="PDF version of this document">pdf</a>] [<a href="https://tools.ietf.org/html/draft-ietf-isms-radius-usage" title="draft-ietf-isms-radius-usage">draft-ietf-isms-r...</a>] [<a href="https://tools.ietf.org/rfcdiff?difftype=--hwdiff&amp;url2=rfc5608" title="Inline diff (wdiff)">Diff1</a>] [<a href="https://tools.ietf.org/rfcdiff?url2=rfc5608" title="Side-by-side diff">Diff2</a>] [<a href="http://www.rfc-editor.org/errata_search.php?rfc=5608">Errata</a>]        </span><br>
<span class="pre noprint docinfo">                                                                        </span><br>
<span class="pre noprint docinfo">                                                       PROPOSED STANDARD</span><br>
<span class="pre noprint docinfo">                                                            <span style="color: #C00;">Errata Exist</span></span><br>
<pre>Network Working Group                                         K. Narayan
Request for Comments: 5608                           Cisco Systems, Inc.
Category: Standards Track                                      D. Nelson
                                                   Elbrys Networks, Inc.
                                                             August 2009


     <span class="h1"><h1>Remote Authentication Dial-In User Service (RADIUS) Usage for</h1></span>
       <span class="h1"><h1>Simple Network Management Protocol (SNMP) Transport Models</h1></span>

Abstract

   This memo describes the use of a Remote Authentication Dial-In User
   Service (RADIUS) authentication and authorization service with Simple
   Network Management Protocol (SNMP) secure Transport Models to
   authenticate users and authorize creation of secure transport
   sessions.  While the recommendations of this memo are generally
   applicable to a broad class of SNMP Transport Models, the examples
   focus on the Secure Shell (SSH) Transport Model.

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to <a href="https://tools.ietf.org/html/bcp78">BCP 78</a> and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may




<span class="grey">Narayan &amp; Nelson            Standards Track                     [Page 1]</span>
</pre><!--NewPage--><pre class="newpage"><a name="page-2" id="page-2" href="#page-2" class="invisible"> </a>
<span class="grey"><a href="https://tools.ietf.org/html/rfc5608">RFC 5608</a>         RADIUS Usage for SNMP Transport Models      August 2009</span>


   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   <a href="#section-1">1</a>. Introduction ....................................................<a href="#page-2">2</a>
      <a href="#section-1.1">1.1</a>. General ....................................................<a href="#page-2">2</a>
      <a href="#section-1.2">1.2</a>. Requirements Language ......................................<a href="#page-3">3</a>
      <a href="#section-1.3">1.3</a>. System Block Diagram .......................................<a href="#page-3">3</a>
      <a href="#section-1.4">1.4</a>. RADIUS Operational Model ...................................<a href="#page-3">3</a>
      <a href="#section-1.5">1.5</a>. RADIUS Usage with Secure Transports ........................<a href="#page-5">5</a>
      <a href="#section-1.6">1.6</a>. Domain of Applicability ....................................<a href="#page-5">5</a>
      <a href="#section-1.7">1.7</a>. SNMP Transport Models ......................................<a href="#page-6">6</a>
   <a href="#section-2">2</a>. RADIUS Usage for SNMP Transport Models ..........................<a href="#page-7">7</a>
      <a href="#section-2.1">2.1</a>. RADIUS Authentication for Transport Protocols ..............<a href="#page-8">8</a>
      <a href="#section-2.2">2.2</a>. RADIUS Authorization for Transport Protocols ...............<a href="#page-8">8</a>
      <a href="#section-2.3">2.3</a>. SNMP Service Authorization .................................<a href="#page-9">9</a>
   <a href="#section-3">3</a>. Table of Attributes ............................................<a href="#page-11">11</a>
   <a href="#section-4">4</a>. Security Considerations ........................................<a href="#page-12">12</a>
   <a href="#section-5">5</a>. Acknowledgements ...............................................<a href="#page-13">13</a>
   <a href="#section-6">6</a>. References .....................................................<a href="#page-13">13</a>
      <a href="#section-6.1">6.1</a>. Normative References ......................................<a href="#page-13">13</a>
      <a href="#section-6.2">6.2</a>. Informative References ....................................<a href="#page-13">13</a>

<span class="h2"><h2><a class="selflink" name="section-1" href="#section-1">1</a>.  Introduction</h2></span>

<span class="h3"><h3><a class="selflink" name="section-1.1" href="#section-1.1">1.1</a>.  General</h3></span>

   This memo describes the use of a Remote Authentication Dial-In User
   Service (RADIUS) authentication and authorization service by Simple
   Network Management Protocol (SNMP) secure Transport Models to
   authenticate users and authorize creation of secure transport
   sessions.  While the recommendations of this memo are generally
   applicable to a broad class of SNMP Transport Models, the examples
   focus on the Secure Shell Transport Model.

   In the context of this document, a Network Access Server (NAS) is a
   network device or host that contains an SNMP engine implementation,
   utilizing SNMP Transport Models.  It is customary in SNMP documents
   to indicate which subsystem performs specific processing tasks.  In
   this document, we leave such decisions to the implementer, as is
   customary for RADIUS documents, and simply specify NAS behavior.
   Such processing would quite likely be implemented in the secure
   transport module.






<span class="grey">Narayan &amp; Nelson            Standards Track                     [Page 2]</span>
</pre><!--NewPage--><pre class="newpage"><a name="page-3" id="page-3" href="#page-3" class="invisible"> </a>
<span class="grey"><a href="https://tools.ietf.org/html/rfc5608">RFC 5608</a>         RADIUS Usage for SNMP Transport Models      August 2009</span>


<span class="h3"><h3><a class="selflink" name="section-1.2" href="#section-1.2">1.2</a>.  Requirements Language</h3></span>

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [<a href="https://tools.ietf.org/html/rfc2119" title="&quot;Key words for use in RFCs to Indicate Requirement Levels&quot;">RFC2119</a>].

<span class="h3"><h3><a class="selflink" name="section-1.3" href="#section-1.3">1.3</a>.  System Block Diagram</h3></span>

   A block diagram of the major system components referenced in this
   document may be useful to understanding the text that follows.

                                         +--------+
              +......................... |RADIUS  |....+
              .                          |Server  |    .
            Shared                       +--------+    .
            User                             |         .
            Credentials             RADIUS   |      Shared
              .                              |      RADIUS
              .                              |      Secret
              .                              |         .
     +-------------+                  +-----------------+
     | Network     |                  | RADIUS Client / |
     | Management  |       SNMP       | SNMP Engine /   |
     | Application |------------------| Network Device  |
     +-------------+       SSH        +-----------------+

                               Block Diagram

   This diagram illustrates that a network management application
   communicates with a network device, the managed entity, using SNMP
   over SSH.  The network devices uses RADIUS to communicate with a
   RADIUS server to authenticate the network management application (or
   the user whose credentials that application provides) and to obtain
   authorization information related to access via SNMP for purpose of
   device management.  Other secure transport protocols might be used
   instead of SSH.

<span class="h3"><h3><a class="selflink" name="section-1.4" href="#section-1.4">1.4</a>.  RADIUS Operational Model</h3></span>

   The RADIUS protocol [<a href="https://tools.ietf.org/html/rfc2865" title="&quot;Remote Authentication Dial In User Service (RADIUS)&quot;">RFC2865</a>] provides authentication and
   authorization services for network access devices, usually referred
   to as a Network Access Server (NAS).  The RADIUS protocol operates,
   at the most simple level, as a request-response mechanism.  RADIUS
   clients, within the NAS, initiate a transaction by sending a RADIUS
   Access-Request message to a RADIUS server, with which the client
   shares credentials.  The RADIUS server will respond with either an
   Access-Accept message or an Access-Reject message.




<span class="grey">Narayan &amp; Nelson            Standards Track                     [Page 3]</span>
</pre><!--NewPage--><pre class="newpage"><a name="page-4" id="page-4" href="#page-4" class="invisible"> </a>
<span class="grey"><a href="https://tools.ietf.org/html/rfc5608">RFC 5608</a>         RADIUS Usage for SNMP Transport Models      August 2009</span>


   RADIUS supports authentication methods compatible with plaintext
   username and password mechanisms, MD5 Challenge/Response mechanisms,
   Extensible Authentication Protocol (EAP) mechanisms, and HTTP Digest
   mechanisms.  Upon presentation of identity and credentials, the user
   is either accepted or rejected.  RADIUS servers indicate a successful
   authentication by returning an Access-Accept message.  An Access-
   Reject message indicates unsuccessful authentication.

   Access-Accept messages are populated with one or more service
   provisioning attributes, which control the type and extent of service
   provided to the user at the NAS.  The authorization portion may be
   thought of as service provisioning.  Based on the configuration of
   the user's account on the RADIUS server, upon authentication, the NAS
   is provided with instructions as to what type of service to provide
   to the user.  When that service provisioning does not match the
   capabilities of the NAS, or of the particular interface to the NAS
   over which the user is requesting access, <a href="https://tools.ietf.org/html/rfc2865">RFC 2865</a> [<a href="https://tools.ietf.org/html/rfc2865" title="&quot;Remote Authentication Dial In User Service (RADIUS)&quot;">RFC2865</a>] requires
   that the NAS MUST reject the access request.  <a href="https://tools.ietf.org/html/rfc2865">RFC 2865</a> describes
   service provisioning attributes for management access to a NAS, as
   well as various terminal emulation and packet forwarding services on
   the NAS.  This memo describes specific RADIUS service provisioning
   attributes that are useful with secure transports and SNMP Transport
   Models.

   RADIUS servers are often deployed on an enterprise-wide or
   organization-wide basis, covering a variety of disparate use cases.
   In such deployments, all NASes and all users are serviced by a common
   pool of RADIUS servers.  In many deployments, the RADIUS server will
   handle requests from many different types of NASes with different
   capabilities, and different types of interfaces, services, and
   protocol support.

   In order for a RADIUS server to make the correct authorization
   decision in all cases, the server will often need to know something
   about the type of NAS at which the user is requesting access, the
   type of service that the user is requesting, and the role of the user
   in the organization.  For example, many users may be authorized to
   receive network access via a Remote Access Server (RAS), Virtual
   Private Network (VPN) server, or LAN access switch.  Typically only a
   small sub-set of all users are authorized to access the
   administrative interfaces of network infrastructure devices, e.g.,
   the Command Line Interface (CLI) or SNMP engine of switches and
   routers.

   In order for the RADIUS server to have information regarding the type
   of access being requested, it is common for the NAS (i.e., the RADIUS
   client) to include "hint" attributes in the RADIUS Access-Request
   message, describing the NAS and the type of service being requested.



<span class="grey">Narayan &amp; Nelson            Standards Track                     [Page 4]</span>
</pre><!--NewPage--><pre class="newpage"><a name="page-5" id="page-5" href="#page-5" class="invisible"> </a>
<span class="grey"><a href="https://tools.ietf.org/html/rfc5608">RFC 5608</a>         RADIUS Usage for SNMP Transport Models      August 2009</span>


   This document recommends appropriate "hint" attributes for the SNMP
   service type.

<span class="h3"><h3><a class="selflink" name="section-1.5" href="#section-1.5">1.5</a>.  RADIUS Usage with Secure Transports</h3></span>

   Some secure transport protocols that can be used with SNMP Transport
   Models have defined authentication protocols supporting several
   authentication methods.  For example, the Secure Shell (SSH)
   Authentication protocol [<a href="https://tools.ietf.org/html/rfc4252" title="&quot;The Secure Shell (SSH) Authentication Protocol&quot;">RFC4252</a>] supports multiple methods
   (including public key, password, and host-based) to authenticate SSH
   clients.

   SSH Server integration with RADIUS traditionally uses the username
   and password mechanism.

   Secure transport protocols do not, however, specify how the transport
   interfaces to authentication clients, leaving such as implementation
   specific.  For example, the "password" method of SSH authentication
   primarily describes how passwords are acquired from the SSH client
   and transported to the SSH server, the interpretation of the password
   and validation against password databases is left to SSH server
   implementations.  SSH server implementations often use the Pluggable
   Authentication Modules [<a href="#ref-PAM" title="&quot;UNIFIED LOGIN WITH PLUGGABLE AUTHENTICATION MODULES (PAM)&quot;">PAM</a>] interface provided by operating systems
   such as Linux and Solaris to integrate with password-based network
   authentication mechanisms such as RADIUS, TACACS+ (Terminal Access
   Controller Access-Control System Plus), Kerberos, etc.

   Secure transports do not typically specify how to utilize
   authorization information obtained from a AAA service, such as
   RADIUS.  More often, user authentication is sufficient to cause the
   secure transport server to begin delivering service to the user.
   Access control in these situations is supplied by the application to
   which the secure transport server session is attached.  For example,
   if the application is a Linux shell, the user's access rights are
   controlled by that user account's group membership and the file
   system access protections.  This behavior does not closely follow the
   traditional service provisioning model of AAA systems, such as
   RADIUS.

<span class="h3"><h3><a class="selflink" name="section-1.6" href="#section-1.6">1.6</a>.  Domain of Applicability</h3></span>

   Most of the RADIUS Attributes referenced in this document have broad
   applicability for provisioning remote management access to NAS
   devices using SNMP.  However, the selection of secure transport
   protocols has special considerations.  This document does not specify
   details of the integration of secure transport protocols with a
   RADIUS client in the NAS implementation.  However, there are
   functional requirements for correct application of framed management



<span class="grey">Narayan &amp; Nelson            Standards Track                     [Page 5]</span>
</pre><!--NewPage--><pre class="newpage"><a name="page-6" id="page-6" href="#page-6" class="invisible"> </a>
<span class="grey"><a href="https://tools.ietf.org/html/rfc5608">RFC 5608</a>         RADIUS Usage for SNMP Transport Models      August 2009</span>


   protocols and secure transport protocols that will limit the
   selection of such protocols that can be considered for use with
   RADIUS.  Since the RADIUS user credentials are obtained by the RADIUS
   client from the secure transport protocol server, or in some cases
   directly from the SNMP engine, the secure transport protocol, and its
   implementation in the NAS, MUST support forms of credentials that are
   compatible with the authentication methods supported by RADIUS.

   RADIUS currently supports the following user authentication methods,
   although others may be added in the future:

   o  Password - <a href="https://tools.ietf.org/html/rfc2865">RFC 2865</a>

   o  CHAP (Challenge Handshake Authentication Protocol) - <a href="https://tools.ietf.org/html/rfc2865">RFC 2865</a>

   o  ARAP (Apple Remote Access Protocol) - <a href="https://tools.ietf.org/html/rfc2869">RFC 2869</a>

   o  EAP (Extensible Authentication Protocol) - <a href="https://tools.ietf.org/html/rfc2869">RFC 2869</a>, <a href="https://tools.ietf.org/html/rfc3579">RFC 3579</a>

   o  HTTP Digest - <a href="https://tools.ietf.org/html/rfc5090">RFC 5090</a>

   The secure transport protocols selected for use with RADIUS and SNMP
   obviously need to support user authentication methods that are
   compatible with those that exist in RADIUS.  The RADIUS
   authentication methods most likely usable with these protocols are
   Password, CHAP, and possibly HTTP Digest, with Password being the
   distinct common denominator.  There are many secure transports that
   support other, more robust, authentication mechanisms, such as public
   key.  RADIUS has no support for public key authentication, except
   within the context of an EAP Method.  The applicability statement for
   EAP indicates that it is not intended for use as an application-layer
   authentication mechanism, so its use with the mechanisms described in
   this document is NOT RECOMMENDED.  In some cases, Password may be the
   only compatible RADIUS authentication method available.

<span class="h3"><h3><a class="selflink" name="section-1.7" href="#section-1.7">1.7</a>.  SNMP Transport Models</h3></span>

   The Transport Subsystem for SNMP [<a href="https://tools.ietf.org/html/rfc5590" title="&quot;Transport Subsystem for the Simple Network Management Protocol (SNMP)&quot;">RFC5590</a>] defines a mechanism for
   providing transport layer security (TLS) for SNMP, allowing protocols
   such as SSH and TLS to be used to secure SNMP communication.  The
   Transport Subsystem allows the modular definition of Transport Models
   for multiple secure transport protocols.  Transport Models rely upon
   the underlying secure transport for user authentication services.
   The Transport Model (TM) then maps the authenticated identity to a
   model-independent principal, which it stores in the tmStateReference.
   When the selected security model is the Transport Security Model
   (TSM), the expected behavior is for the securityName to be set by the




<span class="grey">Narayan &amp; Nelson            Standards Track                     [Page 6]</span>
</pre><!--NewPage--><pre class="newpage"><a name="page-7" id="page-7" href="#page-7" class="invisible"> </a>
<span class="grey"><a href="https://tools.ietf.org/html/rfc5608">RFC 5608</a>         RADIUS Usage for SNMP Transport Models      August 2009</span>


   TSM from the authenticated principal information stored in the
   tmStateReference by the TM.

   The Secure Shell protocol provides a secure transport channel with
   support for channel authentication via local accounts and integration
   with various external authentication and authorization services such
   as RADIUS, Kerberos, etc.  The Secure Shell Transport Model [<a href="https://tools.ietf.org/html/rfc5592" title="&quot;Secure Shell Transport Model for Simple Network Management Protocol (SNMP)&quot;">RFC5592</a>]
   defines the use of the Secure Shell protocol as the basis for a
   Transport Model.

<span class="h2"><h2><a class="selflink" name="section-2" href="#section-2">2</a>.  RADIUS Usage for SNMP Transport Models</h2></span>

   There are two use cases for RADIUS support of management access via
   SNMP.  These are (a) service authorization and (b) access control
   authorization.  RADIUS almost always involves user authentication as
   prerequisite to authorization, and there is a user authentication
   phase for each of these two use cases.  The first use case is
   discussed in detail in this memo, while the second use case is a
   topic of current research, and beyond the scope of this document.
   This document describes the way in which RADIUS attributes and
   messages are applied to the specific application area of SNMP
   Transport Models.  User authentication and service authorization via
   RADIUS are undertaken by the secure transport module, that underlies
   the SNMP Transport Model.

   User authentication for SNMP Transport Models has the same syntax and
   semantics as user authentication for any other network service.  In
   the context of SNMP, the "user" is thought of as a "principal" and
   may represent a host, an application, or a human.

   Service authorization allows a RADIUS server to authorize an
   authenticated principal to use SNMP, optionally over a secure
   transport, typically using an SNMP Transport Model.  This memo
   describes mechanisms by which such information can be requested from
   a RADIUS server and enforced within the NAS.  An SNMP architecture,
   [<a href="https://tools.ietf.org/html/rfc3411" title="&quot;An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks&quot;">RFC3411</a>], does not make a distinction between user authentication
   and service authorization.  In the case of existing, deployed
   security models, such as the User-based Security Model (USM), this
   distinction is not significant.  For SNMP Transport Models, this
   distinction is relevant and important.

   It is relevant because of the way in which SSH implementations have
   traditionally integrated with RADIUS clients.  Those SSH
   implementations traditionally seek to obtain user authentication
   (e.g., validation of a username and password) from an outside
   authentication service, often via a PAM-style interface.  The service
   authorization in traditional SSH server implementations comes via the
   restrictions that the operating system (OS) shell (and file system,



<span class="grey">Narayan &amp; Nelson            Standards Track                     [Page 7]</span>
</pre><!--NewPage--><pre class="newpage"><a name="page-8" id="page-8" href="#page-8" class="invisible"> </a>
<span class="grey"><a href="https://tools.ietf.org/html/rfc5608">RFC 5608</a>         RADIUS Usage for SNMP Transport Models      August 2009</span>


   etc.) place on the user by means of access controls tied to the
   username or the username's membership in various user groups.  These
   OS-style access controls are distinct from the service provisioning
   features of RADIUS.  If we wish to use existing SSH server
   implementations, or slightly adapt them, for use with SNMP Transport
   Models, and we wish to support RADIUS-provisioned service
   authorization, we need to be aware that the RADIUS service
   authorization information will need to be obtained by the relevant
   SNMP models from the SSH module.

   One reason that RADIUS-provisioned service authorization is important
   is that in many deployments, the RADIUS server's back-end
   authentication database contains credentials for many classes of
   users, only a small portion of which may be authorized to access the
   management interfaces of managed entities (NASes) via SNMP.  This is
   in contrast to the way USM for SNMP works, in which all principals
   entered to the local configuration data-store are authorized for
   access to the managed entity.  In the absence of RADIUS-provisioned
   service authorization, network management access may be granted to
   unauthorized, but properly authenticated, users.  With SNMPv3, an
   appropriately configured Access Control Model would serve to
   alleviate the risk of unauthorized access.

<span class="h3"><h3><a class="selflink" name="section-2.1" href="#section-2.1">2.1</a>.  RADIUS Authentication for Transport Protocols</h3></span>

   This document will rely on implementation specific integration of the
   transport protocols with RADIUS clients for user authentication.

   It is REQUIRED that the integration of RADIUS clients with transport
   protocols utilize appropriate "hint" attributes in RADIUS Access-
   Request messages, to signal to the RADIUS server the type of service
   being requested over the transport session.  Specific attributes for
   use with SNMP Transport Models are recommended in this document.

   RADIUS servers, compliant to this specification, MAY use RADIUS
   "hint" attributes, as described herein, to inform the decision
   whether to accept or reject the authentication request.

<span class="h3"><h3><a class="selflink" name="section-2.2" href="#section-2.2">2.2</a>.  RADIUS Authorization for Transport Protocols</h3></span>

   In compliance with <a href="https://tools.ietf.org/html/rfc2865">RFC 2865</a>, NASes MUST enforce implicitly mandatory
   attributes, such as Service-Type, within an Access-Accept message.
   NASes MUST treat Access-Accept messages that attempt to provision
   unsupported services as if they were an Access-Reject.  NASes SHOULD
   treat unknown attributes as if they were provisioning unsupported
   services.  See [<a href="https://tools.ietf.org/html/rfc5080" title="&quot;Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes&quot;">RFC5080</a>] for additional details.





<span class="grey">Narayan &amp; Nelson            Standards Track                     [Page 8]</span>
</pre><!--NewPage--><pre class="newpage"><a name="page-9" id="page-9" href="#page-9" class="invisible"> </a>
<span class="grey"><a href="https://tools.ietf.org/html/rfc5608">RFC 5608</a>         RADIUS Usage for SNMP Transport Models      August 2009</span>


   A NAS that is compliant to this specification MUST treat any RADIUS
   Access-Accept message that provisions a level of transport protection
   (e.g., SSH) that cannot be provided, and/or application service
   (e.g., SNMP) that cannot be provided over that transport, as if an
   Access-Reject message had been received instead.  The RADIUS Service-
   Type Attribute is the primary indicator of the service being
   provisioned, although other attributes may also convey service
   provisioning information.

   For traditional SSH usage, RADIUS servers typically provision
   management access service, as SSH is often used to access the command
   line shell of a host system, e.g., the NAS.  <a href="https://tools.ietf.org/html/rfc2865">RFC 2865</a> defines two
   types of management access service attributes, one for privileged
   access to the Command Line Interface (CLI) of the NAS and one for
   non-privileged CLI access.  These traditional management access
   services are not used with SNMP.  [<a href="https://tools.ietf.org/html/rfc5607" title="&quot;Remote Authentication Dial-In User Service (RADIUS) Authorization for Network Access Server (NAS) Management&quot;">RFC5607</a>] describes further RADIUS
   service provisioning attributes for management access to the NAS,
   including SNMP access.

<span class="h3"><h3><a class="selflink" name="section-2.3" href="#section-2.3">2.3</a>.  SNMP Service Authorization</h3></span>

   The Transport Subsystem for SNMP [<a href="https://tools.ietf.org/html/rfc5590" title="&quot;Transport Subsystem for the Simple Network Management Protocol (SNMP)&quot;">RFC5590</a>] defines the notion of a
   session, although the specifics of how sessions are managed is left
   to Transport Models.  The Transport Subsystem defines some basic
   requirements for transport protocols around creation and deletion of
   sessions.  This memo specifies additional requirements for transport
   protocols during session creation and for session termination.

   RADIUS servers compliant to this specification MUST use RADIUS
   service provisioning attributes, as described herein, to specify SNMP
   access over a secure transport.  Such RADIUS servers MAY use RADIUS
   "hint" attributes included in the Access-Request message, as
   described herein, in determining what, if any, service to provision.

   NASes compliant to this specification MUST use RADIUS service
   provisioning attributes, as described in this section, when they are
   present in a RADIUS Access-Accept message, to determine whether the
   session can be created, and they MUST enforce the service
   provisioning decisions of the RADIUS server.

   The following RADIUS attributes MUST be used, as "hint" attributes
   included in the Access-Request message to signal use of SNMP over a
   secure transport (i.e., authPriv) to the RADIUS server:

   1.  Service-Type with a value of Framed-Management.

   2.  Framed-Management-Protocol with a value of SNMP.




<span class="grey">Narayan &amp; Nelson            Standards Track                     [Page 9]</span>
</pre><!--NewPage--><pre class="newpage"><a name="page-10" id="page-10" href="#page-10" class="invisible"> </a>
<span class="grey"><a href="https://tools.ietf.org/html/rfc5608">RFC 5608</a>         RADIUS Usage for SNMP Transport Models      August 2009</span>


   3.  Management-Transport-Protection with a value of Integrity-
       Confidentiality-Protection.

   The following RADIUS attributes MUST be used in an Access-Accept
   message to provision SNMP over a secure transport that provides both
   integrity and confidentiality (i.e., authPriv):

   1.  Service-Type with a value of Framed-Management.

   2.  Framed-Management-Protocol with a value of SNMP.

   3.  Management-Transport-Protection with a value of Integrity-
       Confidentiality-Protection.

   The following RADIUS attributes MUST be optionally used, to authorize
   use of SNMP without protection (i.e., authNoPriv):

   1.  Service-Type with a value of Framed-Management.

   2.  Framed-Management-Protocol with a value of SNMP.

   3.  Management-Transport-Protection with a value of No-Protection.

   There are no combinations of RADIUS attributes that denote the
   equivalent of SNMP noAuthNoPriv access, as RADIUS always involves the
   authentication of a user (i.e., a principal) as a prerequisite for
   authorization.  RADIUS can be used to provide an "Authorize-Only"
   service, but only when the request contains a "cookie" from a
   previous successful authentication with the same RADIUS server (i.e.,
   the RADIUS State Attribute).

   The following RADIUS attributes are used to limit the extent of a
   secure transport session carrying SNMP traffic, in conjunction with
   an SNMP Transport Model:

   1.  Session-Timeout

   2.  Inactivity-Timeout.

   Refer to [<a href="https://tools.ietf.org/html/rfc2865" title="&quot;Remote Authentication Dial In User Service (RADIUS)&quot;">RFC2865</a>] for a detailed description of these attributes.
   The Session-Timeout Attribute indicates the maximum number of seconds
   that a session may exist before it is unconditionally disconnected.
   The Inactivity-Timeout Attribute indicates the maximum number of
   seconds that a transport session may exist without any protocol
   activity (messages sent or received) before the session is
   disconnected.  These timeouts are enforced by the NAS.





<span class="grey">Narayan &amp; Nelson            Standards Track                    [Page 10]</span>
</pre><!--NewPage--><pre class="newpage"><a name="page-11" id="page-11" href="#page-11" class="invisible"> </a>
<span class="grey"><a href="https://tools.ietf.org/html/rfc5608">RFC 5608</a>         RADIUS Usage for SNMP Transport Models      August 2009</span>


<span class="h2"><h2><a class="selflink" name="section-3" href="#section-3">3</a>.  Table of Attributes</h2></span>

   Table 1 provides a guide to which attributes may be found in which
   kinds of packets, and in what quantity.

   Access-
   Request Accept Reject Challenge  #    Attribute
   ---------------------------------------------------------------------
   0-1     0        0        0       1   User-Name        [<a href="https://tools.ietf.org/html/rfc2865" title="&quot;Remote Authentication Dial In User Service (RADIUS)&quot;">RFC2865</a>]
   0-1     0        0        0       2   User-Password    [<a href="https://tools.ietf.org/html/rfc2865" title="&quot;Remote Authentication Dial In User Service (RADIUS)&quot;">RFC2865</a>]
   0-1 *   0        0        0       4   NAS-IP-Address   [<a href="https://tools.ietf.org/html/rfc2865" title="&quot;Remote Authentication Dial In User Service (RADIUS)&quot;">RFC2865</a>]
   0-1 *   0        0        0      95   NAS-IPv6-Address [<a href="https://tools.ietf.org/html/rfc3162" title="&quot;RADIUS and IPv6&quot;">RFC3162</a>]
   0-1 *   0        0        0      32   NAS-Identifier   [<a href="https://tools.ietf.org/html/rfc2865" title="&quot;Remote Authentication Dial In User Service (RADIUS)&quot;">RFC2865</a>]
   0-1     0-1      0        0       6   Service-Type     [<a href="https://tools.ietf.org/html/rfc2865" title="&quot;Remote Authentication Dial In User Service (RADIUS)&quot;">RFC2865</a>]
   0-1     0-1      0        0-1    24   State            [<a href="https://tools.ietf.org/html/rfc2865" title="&quot;Remote Authentication Dial In User Service (RADIUS)&quot;">RFC2865</a>]
   0       0-1      0        0      27   Session-Timeout  [<a href="https://tools.ietf.org/html/rfc2865" title="&quot;Remote Authentication Dial In User Service (RADIUS)&quot;">RFC2865</a>]
   0       0-1      0        0      28   Idle-Timeout     [<a href="https://tools.ietf.org/html/rfc2865" title="&quot;Remote Authentication Dial In User Service (RADIUS)&quot;">RFC2865</a>]
   0-1     0-1      0-1      0-1    80   Message-Authenticator [<a href="https://tools.ietf.org/html/rfc3579" title="&quot;RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)&quot;">RFC3579</a>]
   0-1     0-1      0        0     133   Framed-Management-Protocol
                                          [<a href="https://tools.ietf.org/html/rfc5607" title="&quot;Remote Authentication Dial-In User Service (RADIUS) Authorization for Network Access Server (NAS) Management&quot;">RFC5607</a>]
   0-1     0-1      0        0     134   Management-Transport-Protection
                                          [<a href="https://tools.ietf.org/html/rfc5607" title="&quot;Remote Authentication Dial-In User Service (RADIUS) Authorization for Network Access Server (NAS) Management&quot;">RFC5607</a>]

                                  Table 1

   Table 2 defines the meaning of the entries in Table 1.

   0    This attribute MUST NOT be present in a packet.
   0+   Zero or more instances of this attribute MAY be present in
        a packet.
   0-1  Zero or one instance of this attribute MAY be present in
        a packet.
   1    Exactly one instance of this attribute MUST be present in
        a packet.
   *    Only one of these attribute options SHOULD be included.

                                  Table 2

   SSH integration with RADIUS traditionally uses usernames and
   passwords (with the User-Password Attribute), but other secure
   transports could use other authentication mechanisms, and would
   include RADIUS authentication attributes appropriate for that
   mechanism instead of User-Password.

   This document does not describe the usage of RADIUS Accounting or
   Dynamic RADIUS Re-Authorization.  Such RADIUS usages are not
   currently envisioned for SNMP, and are beyond the scope of this
   document.



<span class="grey">Narayan &amp; Nelson            Standards Track                    [Page 11]</span>
</pre><!--NewPage--><pre class="newpage"><a name="page-12" id="page-12" href="#page-12" class="invisible"> </a>
<span class="grey"><a href="https://tools.ietf.org/html/rfc5608">RFC 5608</a>         RADIUS Usage for SNMP Transport Models      August 2009</span>


<span class="h2"><h2><a class="selflink" name="section-4" href="#section-4">4</a>.  Security Considerations</h2></span>

   This specification describes the use of RADIUS for purposes of
   authentication and authorization.  Threats and security issues for
   this application are described in [<a href="https://tools.ietf.org/html/rfc3579" title="&quot;RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)&quot;">RFC3579</a>] and [<a href="https://tools.ietf.org/html/rfc3580" title="&quot;IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines&quot;">RFC3580</a>]; security
   issues encountered in roaming are described in [<a href="https://tools.ietf.org/html/rfc2607" title="&quot;Proxy Chaining and Policy Implementation in Roaming&quot;">RFC2607</a>].

   Additional security considerations for use of SNMP with secure
   Transport Models [<a href="https://tools.ietf.org/html/rfc5590" title="&quot;Transport Subsystem for the Simple Network Management Protocol (SNMP)&quot;">RFC5590</a>] and the Transport Security Model [<a href="https://tools.ietf.org/html/rfc5591" title="&quot;Transport Security Model for Simple Network Management Protocol (SNMP)&quot;">RFC5591</a>]
   are found in the "Security Considerations" sections of the respective
   documents.

   If the SNMPv1 or SNMPv2c Security Model is used, then securityName
   comes from the community name, as per <a href="https://tools.ietf.org/html/rfc3584">RFC 3584</a>.  If the User-based
   Security Model is selected, then securityName is determined using
   USM.  This may not be what is expected when using an SNMP secure
   Transport Model with an external authentication service, such as
   RADIUS.

   Simultaneously using a secure transport with RADIUS authentication
   and authorization, and the SNMPv1 or SNMPv2c or USM security models
   is NOT RECOMMENDED.  See the "Coexistence, Security Parameters, and
   Access Control" section of [<a href="https://tools.ietf.org/html/rfc5590" title="&quot;Transport Subsystem for the Simple Network Management Protocol (SNMP)&quot;">RFC5590</a>].

   There are good reasons to provision USM access to supplement AAA-
   based access, however.  When the network is under duress, or the AAA-
   service is unreachable, for any reason, it is important to have
   access credentials stored in the local configuration data-store of
   the managed entity.  USM credentials are a likely way to fulfill this
   requirement.  This is analogous to configuring a local "root"
   password in the "/etc/passwd" file of a UNIX workstation, to be used
   as a backup means of login, for times when the Network Information
   Service (NIS) authentication service is unreachable.

   The Message-Authenticator (80) Attribute [<a href="https://tools.ietf.org/html/rfc3579" title="&quot;RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)&quot;">RFC3579</a>] SHOULD be used
   with RADIUS messages that are described in this memo.  This is useful
   because the Message-Authenticator Attribute is the best available
   mechanism in RADIUS as it stands today to provide tamper-evident
   integrity protection of the service provisioning attributes in an
   Access-Accept packet.  It is slightly less important for Access-
   Request packets, although it may be desirable to protect any "hint"
   attributes contained in those messages.  This protection mitigates
   the fact that RADIUS messages are not encrypted and that attributes
   could be added, deleted or modified by an adversary in a position to
   intercept the packet.






<span class="grey">Narayan &amp; Nelson            Standards Track                    [Page 12]</span>
</pre><!--NewPage--><pre class="newpage"><a name="page-13" id="page-13" href="#page-13" class="invisible"> </a>
<span class="grey"><a href="https://tools.ietf.org/html/rfc5608">RFC 5608</a>         RADIUS Usage for SNMP Transport Models      August 2009</span>


<span class="h2"><h2><a class="selflink" name="section-5" href="#section-5">5</a>.  Acknowledgements</h2></span>

   The authors would like to acknowledge the contributions of David
   Harrington and Juergen Schoenwaelder for numerous helpful discussions
   in this space, and Wes Hardaker for his thoughtful review comments.

<span class="h2"><h2><a class="selflink" name="section-6" href="#section-6">6</a>.  References</h2></span>

<span class="h3"><h3><a class="selflink" name="section-6.1" href="#section-6.1">6.1</a>.  Normative References</h3></span>

   [<a name="ref-RFC2119" id="ref-RFC2119">RFC2119</a>]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", <a href="https://tools.ietf.org/html/bcp14">BCP 14</a>, <a href="https://tools.ietf.org/html/rfc2119">RFC 2119</a>, March 1997.

   [<a name="ref-RFC2865" id="ref-RFC2865">RFC2865</a>]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              <a href="https://tools.ietf.org/html/rfc2865">RFC 2865</a>, June 2000.

   [<a name="ref-RFC5080" id="ref-RFC5080">RFC5080</a>]  Nelson, D. and A. DeKok, "Common Remote Authentication
              Dial In User Service (RADIUS) Implementation Issues and
              Suggested Fixes", <a href="https://tools.ietf.org/html/rfc5080">RFC 5080</a>, December 2007.

   [<a name="ref-RFC5590" id="ref-RFC5590">RFC5590</a>]  Harrington, D. and J. Schoenwaelder, "Transport Subsystem
              for the Simple Network Management Protocol (SNMP)",
              <a href="https://tools.ietf.org/html/rfc5590">RFC 5590</a>, June 2009.

   [<a name="ref-RFC5591" id="ref-RFC5591">RFC5591</a>]  Harrington, D. and W. Hardaker, "Transport Security Model
              for Simple Network Management Protocol (SNMP)", <a href="https://tools.ietf.org/html/rfc5591">RFC 5591</a>,
              June 2009.

   [<a name="ref-RFC5607" id="ref-RFC5607">RFC5607</a>]  Nelson, D. and G. Weber, "Remote Authentication Dial-In
              User Service (RADIUS) Authorization for Network Access
              Server (NAS) Management", <a href="https://tools.ietf.org/html/rfc5607">RFC 5607</a>, July 2009.

<span class="h3"><h3><a class="selflink" name="section-6.2" href="#section-6.2">6.2</a>.  Informative References</h3></span>

   [<a name="ref-PAM" id="ref-PAM">PAM</a>]      Samar, V. and R. Schemers, "UNIFIED LOGIN WITH PLUGGABLE
              AUTHENTICATION MODULES (PAM)", Open Group <a href="https://tools.ietf.org/html/rfc86">RFC 86</a>.0,
              October 1995,
              &lt;<a href="http://www.opengroup.org/rfc/mirror-rfc/rfc86.0.txt">http://www.opengroup.org/rfc/mirror-rfc/rfc86.0.txt</a>&gt;.

   [<a name="ref-RFC2607" id="ref-RFC2607">RFC2607</a>]  Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
              Implementation in Roaming", <a href="https://tools.ietf.org/html/rfc2607">RFC 2607</a>, June 1999.

   [<a name="ref-RFC3162" id="ref-RFC3162">RFC3162</a>]  Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6",
              <a href="https://tools.ietf.org/html/rfc3162">RFC 3162</a>, August 2001.






<span class="grey">Narayan &amp; Nelson            Standards Track                    [Page 13]</span>
</pre><!--NewPage--><pre class="newpage"><a name="page-14" id="page-14" href="#page-14" class="invisible"> </a>
<span class="grey"><a href="https://tools.ietf.org/html/rfc5608">RFC 5608</a>         RADIUS Usage for SNMP Transport Models      August 2009</span>


   [<a name="ref-RFC3411" id="ref-RFC3411">RFC3411</a>]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, <a href="https://tools.ietf.org/html/rfc3411">RFC 3411</a>,
              December 2002.

   [<a name="ref-RFC3579" id="ref-RFC3579">RFC3579</a>]  Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
              Dial In User Service) Support For Extensible
              Authentication Protocol (EAP)", <a href="https://tools.ietf.org/html/rfc3579">RFC 3579</a>, September 2003.

   [<a name="ref-RFC3580" id="ref-RFC3580">RFC3580</a>]  Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese,
              "IEEE 802.1X Remote Authentication Dial In User Service
              (RADIUS) Usage Guidelines", <a href="https://tools.ietf.org/html/rfc3580">RFC 3580</a>, September 2003.

   [<a name="ref-RFC4252" id="ref-RFC4252">RFC4252</a>]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Authentication Protocol", <a href="https://tools.ietf.org/html/rfc4252">RFC 4252</a>, January 2006.

   [<a name="ref-RFC5592" id="ref-RFC5592">RFC5592</a>]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
              Shell Transport Model for Simple Network Management
              Protocol (SNMP)", <a href="https://tools.ietf.org/html/rfc5592">RFC 5592</a>, June 2009.

Authors' Addresses

   Kaushik Narayan
   Cisco Systems, Inc.
   10 West Tasman Drive
   San Jose, CA  95134
   USA

   Phone: +1.408.526.8168
   EMail: kaushik_narayan@yahoo.com


   David Nelson
   Elbrys Networks, Inc.
   282 Corporate Drive
   Portsmouth, NH  03801
   USA

   Phone: +1.603.570.2636
   EMail: dnelson@elbrysnetworks.com











Narayan &amp; Nelson            Standards Track                    [Page 14]

</pre><br>
<span class="noprint"><small><small>Html markup produced by rfcmarkup 1.108, available from
<a href="http://tools.ietf.org/tools/rfcmarkup/">http://tools.ietf.org/tools/rfcmarkup/</a>
</small></small></span>

</body></html>